Medical Lab Database Exposed 1.3 Million Records and Data About COVID Tests

An unsecured database that appeared to belong to a Netherlands-based medical lab exposed 1.3 million records on the internet, including COVID test results and other personally identifiable information, said a security researcher who discovered the trove.


Jeremiah Fowler, a researcher at security vendor vpnMentor and co-founder of security services firm Security Discovery, said in a report released Monday that the database, which lacked password protection, contained documents marked with the name and logo of Coronalab.eu, which is owned by Microbe & Lab, a medical laboratory based in Amsterdam.

The database’s approximately 1.3 million exposed records include 118,441 certificates, 506,663 appointments, 660,173 testing samples, and a small number of internal application files, Fowler said.

The leaked COVID test records include patients’ names, nationality, passport number and test results, as well as the price, location and type of test performed, the researcher said.

The database also contained thousands of QR codes and many CSV files containing details of patients’ appointments and email addresses, he said. “Once private data and emails are exposed, cybercriminals could simply attempt to exploit this data or launch targeted phishing campaigns with insider information, or impersonate a lab employee.”

After locating the exposed database, Fowler said, he tried for several weeks to contact Microbe & Lab.

“They never responded, and because the database was exposed for about two weeks after I first reported it, I sent follow-up emails to anyone who could find a solution,” Fowler told Information Security Media Group. “I called the listed number and spoke to someone who told me they were a director, and that person didn’t take me seriously and seemed annoyed by what I said.”

The data remained exposed until the researcher contacted Google, which hosted the database. Google “only provided the services and the misconfiguration was done by the user,” Fowler told ISMG.

“The hosting provider can make adjustments on the back end and has the names and direct contact details of its customers, so it can reach them when security researchers can’t.”

The researcher said he doesn’t know how long the database was exposed before it was discovered, “but it would be shocking if it was exposed from the peak of the pandemic and went unnoticed for so long.”

“I guess what happened was that those documents needed to be available to patients, so they were hosted on the server and could then be viewed in an internet browser, email or app,” he said. “During this process, they left the entire database open, not knowing that if anyone knew the path of the file, they would be able to see the entire database.”

Fowler has discovered a number of exposed databases over the years that contained health data and other sensitive data, including an unsecured database from an India-based medical lab that contained more than 12 million records last year. In that case, the entity, Redcliffe Labs, temporarily secured the database after Fowler contacted the company, he said (see: 12 Million Patient Medical Records, Other Discovered Insights Exposed on the Web).

But the recent Coronalab database exposure was especially concerning to Fowler. “I have been looking for COVID data for almost three years, and this is the first time I have seen any COVID-related documents” exposed in unsecured databases, he told ISMG.

“I’ve uncovered many medical records over the years, but none compare to the chaos of the COVID era, where testing was virtually compulsory to live a normal life. We traded our data and private information for the freedom to travel, attend events and [...] medical and testing facilities probably wouldn’t have been prepared to deal with the vast influx of data,” he said.

“In the event of a pandemic, we do not have the luxury of spending time on testing and development. There are many lessons to be learned from the COVID era, especially when it comes to data security.”

Other experts say the lab incident highlights how healthcare entities outsource IT security and similar responsibilities to third parties, such as cloud services companies, and then underestimate the data security responsibilities that remain their own.

“Cloud computing offers greater security protections than health service providers can offer on their own,” said Adam Greene, a privacy attorney at the law firm Davis Wright Tremaine.

“But even the most secure door probably wouldn’t do much good if left open at night,” Greene said. “Organizations that use cloud computing need to understand what responsibilities they have, especially with regard to technical configurations, and consider implementing systems to properly configure their cloud resources and audit those configurations.”

Regulatory attorney Brad Rostolsky, of the law firm Greenberg Traurig LLP, said data breaches involving misconfigurations are unfortunately becoming more common. “Especially when the regulated entity controls the security of cloud storage, it’s vital to be proactive,” he said.

“A good solution is to check the settings related to those types of databases and have two other people monitor things separately. Every once in a while, human error is the cause of critical (and easily avoidable) situations, and a second pair of eyes can work wonders,” Rostolsky said.
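One way to act on the configuration-audit advice above, as an added example that is not code from the article or from any company it names: a small offline check of a Google Cloud Storage bucket's metadata and IAM policy for public exposure. The field names follow the Cloud Storage JSON API and `gsutil iam get` output; the bucket name, accounts and the two sample documents are constructed.

```python
# Principals that make a binding world-readable (anonymous or any Google account).
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def public_bindings(policy: dict) -> list:
    """Return (role, member) pairs in a bucket IAM policy that grant access to
    anonymous users or to every authenticated Google account."""
    found = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                found.append((binding["role"], member))
    return found


def audit_bucket(metadata: dict, policy: dict) -> list:
    """Collect exposure findings for one bucket; an empty list means public
    access prevention is enforced and no binding names a public principal."""
    findings = []
    iam_cfg = metadata.get("iamConfiguration", {})
    # publicAccessPrevention=enforced blocks allUsers/allAuthenticatedUsers grants.
    if iam_cfg.get("publicAccessPrevention") != "enforced":
        findings.append("publicAccessPrevention is not 'enforced'")
    # Without uniform bucket-level access, legacy per-object ACLs can still open files.
    if not iam_cfg.get("uniformBucketLevelAccess", {}).get("enabled", False):
        findings.append("uniformBucketLevelAccess is disabled")
    for role, member in public_bindings(policy):
        findings.append(f"public binding: {member} has {role}")
    return findings


# Constructed sample: the misconfigured state, a certificate bucket readable by anyone.
EXPOSED_METADATA = {"name": "example-lab-certificates", "iamConfiguration": {
    "uniformBucketLevelAccess": {"enabled": True}, "publicAccessPrevention": "inherited"}}
EXPOSED_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.admin", "members": ["user:admin@example.com"]}]}

# Constructed sample: the corrected state, only a patient-portal service account can read.
HARDENED_METADATA = {"name": "example-lab-certificates", "iamConfiguration": {
    "uniformBucketLevelAccess": {"enabled": True}, "publicAccessPrevention": "enforced"}}
HARDENED_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:portal@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.admin", "members": ["user:admin@example.com"]}]}

if __name__ == "__main__":
    print("exposed:", audit_bucket(EXPOSED_METADATA, EXPOSED_POLICY))
    print("hardened:", audit_bucket(HARDENED_METADATA, HARDENED_POLICY))
```

Feeding real `buckets.get` metadata and `gsutil iam get` output into `audit_bucket` gives the same kind of finding list, which can be run on a schedule as the "second pair of eyes" the attorney describes.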

Incidents such as IT misconfigurations leading to major healthcare data breaches are also recurrent in the industry.

In some cases, health data breaches involving software or other IT misconfigurations that expose patient data on the internet have led entities to pay significant regulatory fines or class-action settlements, or both.

Last October, Puerto Rico-based data center Inmediata agreed to pay $1.4 million to 31 states, plus Puerto Rico, to settle a lawsuit led by Indiana’s attorney general over a coding error that exposed the personal health and contact data of about 1.5 million people.

An investigation into the Inmediata incident found that a coding error allowed Bingbot to index two web pages from May 16, 2016, to Jan. 15, 2019, making people’s sensitive data viewable and downloadable through online search engines.

In addition to the settlement with the states, Inmediata paid $1.1 million in 2022 to settle a civil class action lawsuit against the company over the same incident (see: 33 State AGs Settle 3 Health Data Breach Cases).

To the exposure of the database involving Coronalab and Microbe

Microbe
